Using HAProxy in docker with host network

When running HAProxy in a docker container, we can only see (and forward) the original client's IP when running the container with the --net=host option as described here.

Our question: Is this advisable from a security standpoint? Will this make it easier for attackers to exploit HAProxy vulnerabilities? Or is it common practice?
Well, --net=host is a common practice to expose a container to the public interface. If you don't set --net=host, the haproxy will not be reachable outside of the docker network.
If you are running docker swarm then you will get an IP from the swarm ingress network in your X-Forwarded-For header.

You can work around this by using --network=host, but then you cannot connect the container to other overlay networks, which might cause issues in your setup, for example if you want to connect HAProxy to other containers.

Fortunately you can use --publish mode=host,... instead of the default --publish mode=ingress to directly bind to the external IP. Then HAProxy will see the real client IP. Also see https://github.com/docker-archive/dockercloud-haproxy/issues/134#issuecomment-288485710
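The host-mode publishing described in the answer above, written out as a Swarm stack file (an added example, not code from the original post or from the linked project); the service names, image tags and port numbers are assumptions:

```yaml
# Added example: HAProxy published with mode=host on a Swarm node so that it
# sees the real client IP, while it still joins an overlay network to reach
# its backends. Service names, images and ports are assumed values.
version: "3.8"

services:
  haproxy:
    image: haproxy:2.8            # assumed image tag
    networks:
      - app_net                   # overlay network shared with the backends
    ports:
      # Default ingress publishing, kept commented out for contrast: the
      # routing mesh rewrites the source address, so HAProxy only sees an
      # address from the swarm ingress network in X-Forwarded-For.
      # - target: 80
      #   published: 80
      #   mode: ingress
      #
      # Host-mode publishing binds directly to the node's external interface,
      # so HAProxy sees the real client IP and can still use overlay networks.
      - target: 80
        published: 80
        protocol: tcp
        mode: host
    deploy:
      # One task per node: two tasks on the same node cannot both bind a
      # host-mode port, so a replicated service with several replicas on one
      # node would fail to start the extra tasks.
      mode: global
    configs:
      - source: haproxy_cfg
        target: /usr/local/etc/haproxy/haproxy.cfg

  web:
    image: nginx:stable           # assumed backend image
    networks:
      - app_net

networks:
  app_net:
    driver: overlay

configs:
  haproxy_cfg:
    file: ./haproxy.cfg           # assumed path; needs 'option forwardfor'
```

With this layout HAProxy's `option forwardfor` passes the real client IP to the backends in X-Forwarded-For; under the default ingress mode that header would carry an ingress network address instead.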